Split Zip or 7-Zip archive files are not getting detected


Article ID: 218669


Updated On:

Products

Data Loss Prevention

Issue/Introduction

You are using the Split to volumes option in 7-Zip to create a split archive that is broken into multiple files, for example filename.7z.001, filename.7z.002, filename.7z.003. You attach all three files to an email or upload them to a website. This should trigger an incident for a policy with either a rule detecting the content of the archived file within or a rule detecting the 7-Zip file type, but the split files are not detected.

 

Environment

Release : 15.7.x

Component : Detection

Cause

Split multi-part 7-Zip files are not supported, probably because content extraction cannot be done on the split content of each individual file alone, and the file type of the split files does not match the signature of a single archived 7-Zip file.

Resolution

Should you need to detect split files, use a filename rule to detect the extension rather than trying to detect the content or the 7-Zip file type.

For example, for files named *.7z.001, *.7z.002, *.7z.003, *.7z.004, *.7z.005, set up a rule as follows:

 

Alternatively, Custom Detection might be an option. For details, please see the Detection Customization Guide for your version.

For v15.8 - Symantec Data Loss Prevention Detection Customization Guide, Version 15.8

For v15.7 - Symantec Data Loss Prevention Detection Customization Guide, Version 15.7
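
A stand-alone sketch of the filename approach described above, added here as an example; it is not Symantec DLP rule syntax or code from the product. It goes beyond the *.7z.001 to *.7z.005 list by matching any volume number and also .zip.NNN volumes, and reports sets with missing parts; the function names and the sample attachment names are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Numbered volumes as written by 7-Zip's "Split to volumes": name.7z.001, name.zip.002, ...
# Three or more digits, so volumes beyond .005 (or .999) still match.
VOLUME_RE = re.compile(r"^(?P<base>.+\.(?:7z|zip))\.(?P<num>\d{3,})$", re.IGNORECASE)


def parse_volume(name):
    """Return (archive_base, volume_number) for a split-volume name, else None."""
    leaf = PureWindowsPath(name).name  # strips both / and \ directory prefixes
    m = VOLUME_RE.match(leaf)
    if not m:
        return None
    return m.group("base").lower(), int(m.group("num"))


def group_split_volumes(names):
    """Group attachment names into split sets and list the parts missing from each."""
    sets = defaultdict(set)
    for name in names:
        parsed = parse_volume(name)
        if parsed:
            sets[parsed[0]].add(parsed[1])
    report = {}
    for base, nums in sets.items():
        expected = set(range(1, max(nums) + 1))
        report[base] = {"parts": sorted(nums), "missing": sorted(expected - nums)}
    return report


# Constructed sample: attachment names from one hypothetical message.
SAMPLE = [
    "filename.7z.001", "filename.7z.002", "filename.7z.003",
    r"C:\out\Report.ZIP.001", "Report.zip.003",  # part 002 is absent
    "notes.7z",       # ordinary archive, not a split volume
    "archive.7z.01",  # two digits only, not the 7-Zip volume naming
    "photo.001",      # numbered file without an archive extension
]

if __name__ == "__main__":
    for base, info in group_split_volumes(SAMPLE).items():
        print(base, info)
```

A set with missing parts cannot be reassembled from that message alone, which may mean the remaining volumes were sent through another message or channel.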

 

Additional Information

For this functionality we have an open Feature Request with our product management as follows:

Ref: PM-2892 - Support subfile extraction for split multi-part 7-Zip files

If you would like to endorse this request, please notify our Technical Support, who can add your organisation.